gorilla.maguila
04-07-2014, 06:40 AM
Here goes another token challenge.
The swf:
http://77231864591d8245d027-dbd663cdd4719bbeb13e13f9ee6e6f1f.r39.cf5.rackcdn.com/bba.swf
Testing site:
http://cricfree.tv/update/skys1.php
It can be done with RABCDASM like in http://stream-recorder.com/forum/showpost.php?p=63568&postcount=16 but they have added another obfuscation layer, obfuscating a binary inside the swf.
Feel free to add suggestions or any helpful info.
gorilla.maguila
04-07-2014, 07:03 AM
Just for fun they have included nice messages inside the swf :D :
If you see this message because you are probably a bad guy. For more info go OUT!!
peterpan
04-07-2014, 09:19 AM
They can run, but they cannot hide ;) Check your inbox...
http://i.imgur.com/0l61pRP.png
gorilla.maguila
04-07-2014, 10:21 AM
That's great. What method did you use? Dumping memory, disassembling, etc.?
bfa1trung
04-07-2014, 10:09 PM
They can run, but they cannot hide ;)
:rolleyes:
Here goes another token challenge.
The swf:
http://77231864591d8245d027-dbd663cdd4719bbeb13e13f9ee6e6f1f.r39.cf5.rackcdn.com/bba.swf
Testing site:
http://cricfree.tv/update/skys1.php
It can be done with RABCDASM like in http://stream-recorder.com/forum/showpost.php?p=63568&postcount=16 but they have added another obfuscation layer, obfuscating a binary inside the swf.
Feel free to add suggestions or any helpful info.
Can you please give me some info, as I can't dump my sky films streams now? Any pointer or directions would be good.
Thanks in advance for any help :)
UPDATE: got a dump but still not running in rtmpdump, output below!
RTMPDump 2.4 git-6230845 2011-9-25
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
DEBUG: Protocol : RTMP
DEBUG: Hostname : rtmp.hdcast.org
DEBUG: Port : 1935
DEBUG: Playpath : action
DEBUG: tcUrl : rtmp://rtmp.hdcast.org:1935/redirect/
DEBUG: swfUrl : http://77231864591d8245d027-dbd663cdd4719bbeb13e13f9ee6e6f1f.r39.cf5.rackcdn.com/bba.swf
DEBUG: pageUrl : http://www.hdcast.org/embedlive2.php?u=action&vw=620&vh=490&domain=cricfree.tv
DEBUG: app : redirect/
DEBUG: flashVer : WIN 12,0,0,77
DEBUG: live : no
DEBUG: timeout : 30 sec
DEBUG: SWFSHA256:
DEBUG: ac 11 26 f9 48 52 bb 20 b9 ce 0f 27 15 80 e3 ba
DEBUG: 71 b6 6a 89 f7 1a 80 ed ca cd 21 d1 1d 55 36 d5
DEBUG: SWFSize : 231564
DEBUG: Setting buffer time to: 36000000ms
Connecting ...
DEBUG: RTMP_Connect1, ... connected, handshaking
DEBUG: HandShake: Client type: 03
DEBUG: HandShake: Client digest offset: 53
DEBUG: HandShake: Initial client digest:
DEBUG: 1a 4d 84 b8 f2 37 69 f1 2c a6 34 51 7c d6 df 4b
DEBUG: 69 f8 c9 b8 48 05 8b 66 c3 92 be e8 29 bf 5a 67
DEBUG: HandShake: Type Answer : 03
DEBUG: HandShake: Server Uptime : 96850052
DEBUG: HandShake: FMS Version : 3.0.1.1
DEBUG: HandShake: Calculated digest key from secure key and server digest:
DEBUG: 9e ed a0 e9 fc b3 3f d8 7e 08 1f 41 80 75 a1 bb
DEBUG: a5 5c ec c1 5f 4c 3d f0 27 7f 69 ae b0 f9 45 47
DEBUG: HandShake: Client signature calculated:
DEBUG: fd 79 74 36 2a 2c e3 8e 47 6b 78 79 fd 17 fe ce
DEBUG: 3b d6 19 d8 30 cf ce a5 ab 80 01 61 a7 15 e8 28
DEBUG: HandShake: Server sent signature:
DEBUG: 1c dd 10 37 1b d4 58 44 47 f5 b3 6a 44 c8 9f 75
DEBUG: 97 bf 59 01 ec f5 f4 95 c7 84 4f df 93 81 8c 0a
DEBUG: HandShake: Digest key:
DEBUG: 44 aa 38 01 c1 5a 33 83 dc 8d 0a 98 8d 03 39 12
DEBUG: 5e 99 2f a3 23 67 b6 a8 81 5a 6b e0 14 43 12 a8
DEBUG: HandShake: Signature calculated:
DEBUG: 1c dd 10 37 1b d4 58 44 47 f5 b3 6a 44 c8 9f 75
DEBUG: 97 bf 59 01 ec f5 f4 95 c7 84 4f df 93 81 8c 0a
DEBUG: HandShake: Genuine Adobe Flash Media Server
DEBUG: HandShake: Handshaking finished....
DEBUG: RTMP_Connect1, handshaked
DEBUG: Invoking connect
INFO: Connected...
DEBUG: HandleServerBW: server BW = 2500000
DEBUG: HandleClientBW: client BW = 2500000 2
DEBUG: HandleCtrl, received ctrl. type: 0, len: 6
DEBUG: HandleCtrl, Stream Begin 0
DEBUG: HandleChangeChunkSize, received: chunk size change to 4096
DEBUG: RTMP_ClientPacket, received: invoke 234 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object begin)
DEBUG: Property: <Name: level, STRING: error>
DEBUG: Property: <Name: code, STRING: NetConnection.Connect.Rejected>
DEBUG: Property: <Name: description, STRING: Connection failed: Application rejected connection.>
DEBUG: Property: <Name: ex, OBJECT>
DEBUG: (object begin)
DEBUG: Property: <Name: redirect, STRING: rtmpe://46.246.124.11:1935/redirect>
DEBUG: Property: <Name: code, NUMBER: 302.00>
DEBUG: (object end)
DEBUG: Property: <Name: clientid, NUMBER: 1591378394.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <_error>
ERROR: rtmp server sent error
DEBUG: RTMP_ClientPacket, received: invoke 18 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <close>
ERROR: rtmp server requested close
DEBUG: Closing connection.
Anyone help me with getting the last challenge please? I am a bit new at dumping. I don't ask to be spoon-fed, just a hand would be good :D
spacechild
04-11-2014, 05:52 AM
I'd be very interested in it as well, because I notice that some public streaming services are adopting this "obfuscation" technique, in order to hide their token (which is a nonsense, as they are free public services and should freely allow the streaming capture).
And I tried to identify the string "secureTokenResponse" in the decompiled swf, obviously without success...
I will send a pm with the hope to find out the right strategy to solve this new issue...
Thanks in advance for the help
It is not really rocket science, just dump and grep.
rtmpdump -r "rtmp://31.220.0.138:1935/redirect" -a "redirect" -f "LNX 11,2,202,350" -W "http://www.eucast.tv/player5.9.swf" -p "http://www.eucast.tv" -y "ss1x" | vlc - &>/dev/null
RTMPDump v2.4
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
WARNING: You haven't specified an output file (-o filename), using stdout
Connecting ...
INFO: Connected...
INFO: rtmp server sent redirect
INFO: trying to connect with redirected url
Starting download at: -0.001 kB
INFO: Metadata:
INFO: duration 0.00
INFO: width 640.00
INFO: height 360.00
INFO: videodatarate 439.45
INFO: framerate 29.00
INFO: videocodecid 7.00
INFO: audiodatarate 125.00
INFO: audiosamplerate 22050.00
INFO: audiosamplesize 16.00
INFO: stereo TRUE
INFO: audiocodecid 10.00
INFO: encoder Lavf54.63.104
INFO: filesize 0.00
rtmpdump -r "rtmpe://rtmp.hdcast.org:1935/redirect/" -a "redirect/" -f "LNX 11,2,202,350" -W "http://77231864591d8245d027-dbd663cdd4719bbeb13e13f9ee6e6f1f.r39.cf5.rackcdn.com/bba.swf" -p "http://www.hdcast.org" -y "action" -T '#yw%tt#w@kku' | vlc - &>/dev/null
RTMPDump v2.4
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
WARNING: You haven't specified an output file (-o filename), using stdout
Connecting ...
WARNING: Trying different position for server digest!
INFO: Connected...
INFO: rtmp server sent redirect
INFO: trying to connect with redirected url
WARNING: Trying different position for server digest!
Starting download at: -0.001 kB
INFO: Metadata:
INFO: duration 0.00
INFO: width 640.00
INFO: height 360.00
INFO: videodatarate 390.62
INFO: framerate 29.97
INFO: videocodecid 7.00
INFO: audiodatarate 125.00
INFO: audiosamplerate 22050.00
INFO: audiosamplesize 16.00
INFO: stereo TRUE
INFO: audiocodecid 10.00
INFO: encoder Lavf54.63.104
INFO: filesize 0.00
spacechild
04-11-2014, 10:47 AM
Thanks anyway for the answer, Mckv, but the original post was about the swf player of hdcast, not eucast.
I know that the eucast token is not hard to find.
Here is an example of a channel that is still hosted on Hdcast.org:
rtmpdump -r "rtmpe://46.246.124.24:1935/redirect" -a "redirect" -f "WIN 12,0,0,77" -W "http://77231864591d8245d027-dbd663cdd4719bbeb13e13f9ee6e6f1f.r39.cf5.rackcdn.com/bba.swf" -p "http://www.hdcast.org/embedlive2.php?u=BST15&vw=640&vh=460&domain=hdfoots.com" -y "BST15" -o "2014-04-11_06-22-53_BST15.flv"
I don't know what really happened, but fortunately now hdcast streams can be dumped again without the need of any "mysterious tokens".
So for the moment the hdcast issue seems solved